Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Pelikan on October 20, 2007, 03:29:37 PM

Title: What to do with Viruses??
Post by: Pelikan on October 20, 2007, 03:29:37 PM
Hi. After scanning my PC with Avast Home Edition 4.7 it discovered more than 1700 infected files..! Now, I moved part of them to the Chest and others are still in the "move/rename" folder. I couldn't find any "virus healing" option on the Avast interface; it only suggests deleting the file or moving it to the Chest. Is it possible somehow to heal infected files without deleting them? (The VRDB is already created as I understand, but it is not clear where it keeps these backups and how to restore them..?) I wouldn't like to delete many of those files that contain useful texts (in Word .doc or HTML formats). Also, copying their contents into text format in Notepad is quite bothersome work...
It also showed some system files infected, which it moved to the Chest (Kernel32.dll, winsock.dll, wsock32.dll, in C:\windows\system32). What to do with them?
My Windows XP works well and I liked how Avast found so many viruses. Your kind advice on this problem would be much appreciated.
 
Thanks.
Title: Re: What to do with Viruses??
Post by: Maxx_original on October 20, 2007, 04:00:21 PM
Hard to say anything, because we don't know what type of malware is so widespread on your PC... can you tell us more, or pack the scan results and post them here as an attachment?
Title: Re: What to do with Viruses??
Post by: Lisandro on October 20, 2007, 04:19:24 PM
VRDB is alrd created as I understand, but not clear where it keeps this backups and how to restore them..?
avast manages the VRDB itself. Only some executable files can be restored (cleaned). It's not a backup feature, rather a feature to recover some executable files from some infections.

It also showed some system files infectded, which it moved to chest (Kernel32.dll, winsock.dll, wsock32.dll, - C:\windows\system32). What to do to them?
If they are in the 'System' folder of the Chest, they're there for backup purposes.
If they are in the 'Infected' folder, you can leave them in the Chest, without harm, for further analysis.
Title: Re: What to do with Viruses??
Post by: DavidR on October 20, 2007, 05:02:00 PM
The VRDB only protects certain files (.exe, etc.); it doesn't protect data files or all files. It is not a back-up program, so there are going to be many occasions where repair won't be an option.

Only a true virus infection can be repaired, e.g. when a virus infects a file it adds a small part to it; provided that file is one that avast's VRDB would monitor and you have run the VRDB, then it may be possible to repair the file to its uninfected state.

However, for the most part so-called viruses, trojans (adware/spyware/malware, etc.) can't be repaired because the complete content of the file is malicious.

Trojans generally can't be repaired (either by the VRDB or the avast virus cleaner), because the entire content of the file is malware, so it is either move to Chest or delete, moving to the Chest being the best option (first do no harm). When a file is in the Chest it can't do any harm and you can investigate the infected warning.
Title: Re: What to do with Viruses??
Post by: tsilo on October 20, 2007, 05:48:36 PM
Wow, 1700 infected files???
It would be good to format your PC, reinstall Windows and install Avast! on the clean computer ... not because Avast! can't clean your system, but because your system will not work well.
Title: Re: What to do with Viruses??
Post by: oldman on October 20, 2007, 06:15:05 PM
I'd hold off on the reformatting. Without knowing what the files and detections are, that sounds pretty drastic.

There's false positive to take into account also.

Pelikan, you should take a few samples from a group of files with, say, the .doc extension and submit them to http://www.virustotal.com  It's an online multiscanner. You would have to move them out of the Chest to a temporary folder before submitting. Post back the results of the scans.
Title: Re: What to do with Viruses??
Post by: DavidR on October 20, 2007, 06:26:20 PM
Absolutely agree; a suggestion of a reformat based on insufficient information is too soon in the game.

Whilst 1700 infected files found is a bad situation indicating a possibly seriously compromised system, it is possible that there is/was a trojan downloader, backdoor or hidden elements, but that we have to find out.
Title: Re: What to do with Viruses??
Post by: Lisandro on October 20, 2007, 06:40:45 PM
Sometimes just one or two infections could be the cause of such a high number of infected files.
Without further information (name of the virus, name and path of the infected files or some of them, etc.) it is difficult to judge.
Title: Re: What to do with Viruses??
Post by: Pelikan on October 21, 2007, 10:50:33 AM
Hard to say anything, because we don't know what type of malware is so widespread on your PC... can you tell us more, or pack the scan results and post them here as an attachment?

Thank you for this advice. Thanks to the other members too for their insights. I will make a decision after carefully weighing all the pros and cons.
Generally, the viruses it shows in the list are these:

1) Win32:Adware-gen[Adw] (found in sinstaller2.exe)
2) Win32:VB-EQB[trj] (found in all other files (most of them HTML, Doc))
As for system files like kernel32.dll and winsock.dll, it moved them to the Chest but doesn't show the definition of the virus.

Looking forward to your comments, thanks a lot.
P.S. Would it help if, after eventually deciding to format the C:\ disk and reinstalling Windows, I additionally double-scan the system with two alternative antiviruses, say Avast and KAV (Kaspersky AV)? I couldn't activate a "healing" or "recovering" option in Avast Home Edition. Does Avast Pro have it?
Title: Re: What to do with Viruses??
Post by: Pelikan on October 21, 2007, 02:46:38 PM
I'd hold off on the reformatting. Without knowing what the files and detections are, that sounds pretty drastic.

There's false positive to take into account also.

Pelikan, you should take a few samples from a group of files with, say, the .doc extension and submit them to http://www.virustotal.com  It's an online multiscanner. You would have to move them out of the Chest to a temporary folder before submitting. Post back the results of the scans.
Hi, sending a copy of the VirusTotal scan result of some of my files. It's in *.txt format, but if opened in *.doc the actual page of VirusTotal scan results can be seen. It found a lot of virus names.... :-\
Title: Re: What to do with Viruses??
Post by: DavidR on October 21, 2007, 02:55:20 PM
The System Files section of the Chest contains copies of important system files; they are not infected, they are placed there by avast as a back-up copy in case the original becomes infected. Only avast can use these files.

I would imagine most of these .html files were found in the temporary internet files folder ?
If so these aren't such a problem and I would suggest you completely clear your Temporary Internet Files.

The .doc files are more of a concern if they are your own .doc files that are infected ?
If I'm reading the malware name right this is a Visual Basic (VB) trojan; I don't know how macros work in Word, if they are able to run VB from within the .doc file.

So I would appreciate some input from Maxx_original. Also since the majority of trojans aren't infecters but completely malicious content, is this an exception that infects .doc files ?

@ Pelikan
Your attachment isn't a txt file but garbled, just copy and paste the contents of the screen into the post.

If the nuclear option is chosen (and we aren't there yet) and you start from scratch, having two resident scanners installed is not recommended: rather than providing twice the protection, it can cause conflicts that could leave you more vulnerable.
Title: Re: What to do with Viruses??
Post by: Maxx_original on October 21, 2007, 04:13:42 PM
pelikan: can you send some files from your Chest to our virus lab? We can validate the VB virus detection..
Title: Re: What to do with Viruses??
Post by: Pelikan on October 22, 2007, 06:17:40 AM
pelikan: can you send some files from your Chest to our virus lab? We can validate the VB virus detection..

Hi, I can only extract from the Virus Chest and send by Yahoo Mail attachment, because I don't use a resident email program (IMAP or SMTP) on my PC. To which email address can I send them?

Thanks.
Title: Re: What to do with Viruses??
Post by: Pelikan on October 22, 2007, 06:26:43 AM
The System Files section of the Chest contains copies of important system files; they are not infected, they are placed there by avast as a back-up copy in case the original becomes infected. Only avast can use these files.
I understand, thanks for the clarification.

I would imagine most of these .html files were found in the Temporary Internet Files folder? If so these aren't such a problem and I would suggest you completely clear your Temporary Internet Files.
No, unfortunately, those were mostly books and articles in HTML format which I downloaded before from online libraries..

The .doc files are more of a concern if they are your own .doc files that are infected ?
If I'm reading the malware name right this is a Visual Basic (VB) trojan; I don't know how macros work in Word, if they are able to run VB from within the .doc file.
So I will wait till it clears up with the viruses, if the ALWIL lab can give feedback on them, and then make a decision on reformatting or re-cleaning the whole system.


@ Pelikan
Your attachment isn't a txt file but garbled, just copy and paste the contents of the screen into the post.
I see, will try to do this.

If the nuclear option is chosen (and we aren't there yet) and you start from scratch, having two resident scanners installed is not recommended: rather than providing twice the protection, it can cause conflicts that could leave you more vulnerable.
Ok, got it.
Thanks.
Title: Re: What to do with Viruses??
Post by: Pelikan on October 22, 2007, 06:32:31 AM

@ Pelikan
Your attachment isn't a txt file but garbled, just copy and paste the contents of the screen into the post.


File infected_files.rar received on 10.21.2007 14:17:26 (CET)
Antivirus   Version   Last Update   Result
AhnLab-V3   2007.10.20.0   2007.10.19   -
AntiVir   7.6.0.27   2007.10.20   HTML/Dldr.Agent.bp
Authentium   4.93.8   2007.10.20   HTML/IFrame
Avast   4.7.1051.0   2007.10.21   Win32:VB-EQB
AVG   7.5.0.488   2007.10.20   -
BitDefender   7.2   2007.10.21   Trojan.Clicker.HTML.IFrame.AC
CAT-QuickHeal   9.00   2007.10.20   HTML/Agent.CP
ClamAV   0.91.2   2007.10.20   HTML.Iframe-6
DrWeb   4.44.0.09170   2007.10.21   -
eSafe   7.0.15.0   2007.10.15   JS.Agent.bs
eTrust-Vet   31.2.5225   2007.10.20   -
Ewido   4.0   2007.10.21   Adware.Comet
FileAdvisor   1   2007.10.21   -
Fortinet   3.11.0.0   2007.10.19   Adware/Comet
F-Prot   4.3.2.48   2007.10.20   HTML/IFrame
F-Secure   6.70.13030.0   2007.10.21   HTML/IFrame
Ikarus   T3.1.1.12   2007.10.21   Trojan-Downloader.HTML.Agent.bp
Kaspersky   7.0.0.125   2007.10.21   Trojan-Downloader.HTML.Agent.cp
McAfee   5145   2007.10.19   potentially unwanted program Adware-Cometsys
Microsoft   1.2908   2007.10.21   Exploit:HTML/IframeRef.gen
NOD32v2   2604   2007.10.19   HTML/TrojanDownloader.Agent.BP
Norman   5.80.02   2007.10.19   -
Panda   9.0.0.4   2007.10.21   W32/Radoppan.AI
Prevx1   V2   2007.10.21   ADWARE.COMET.C.1.A
Rising   19.45.62.00   2007.10.21   Trojan.DL.Delf.xuh
Sophos   4.22.0   2007.10.21   Troj/Fujif-Gen
Sunbelt   2.2.907.0   2007.10.20   -
Symantec   10   2007.10.21   Trojan.Dowiex!inf
TheHacker   6.2.9.103   2007.10.21   -
VBA32   3.12.2.4   2007.10.19   AdWare.Win32.Comet.ac
VirusBuster   4.3.26:9   2007.10.20   -
Additional information
File size: 159939 bytes
MD5: 76c41f254e8a8efa72dac75fed58cf1d
SHA1: 478fb0803f2f757b1f3115d7b4c4db6f7b0dcfa1
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=A9D9E1B29F540BB88E23008178754900023F604E

Title: Re: What to do with Viruses??
Post by: oldman on October 22, 2007, 06:57:19 AM
How many files were in the folder?
Title: Re: What to do with Viruses??
Post by: Maxx_original on October 22, 2007, 10:17:32 AM
pelikan: you can send some samples to virus[at]avast[dot]com from your yahoo account.. ;)
Title: Re: What to do with Viruses??
Post by: Pelikan on October 22, 2007, 11:29:27 AM
pelikan: you can send some samples to virus[at]avast[dot]com from your yahoo account.. ;)

Hi, Max. Have just sent a bunch of files. Will wait for your reply. Thanks a lot.  :)
Title: Re: What to do with Viruses??
Post by: DavidR on October 22, 2007, 02:18:20 PM
I would echo oldman's question of how many files were in the .rar, as there is a large spread of supposedly different malware types. This could be compounded if you also sent a mix of suspect .html and .doc files.

However, it does show that avast isn't alone in its detections, unfortunately we can't compare what has been detected on a file for file basis.
Title: Re: What to do with Viruses??
Post by: oldman on October 22, 2007, 07:06:40 PM
I suppose my suggestion was a bit fuzzy. I should have made it clear to submit 1 sample file at a time: a sample .doc, .html, etc.
Title: Re: What to do with Viruses??
Post by: Pelikan on October 23, 2007, 06:10:35 AM
How many files were in the folder?
Eehm,...don't quite remember already..I put a few of them in at random (with various virus names), maybe 5 or 6 total, taken from the Avast Virus Chest, packed with rar and uploaded to that site, later sending the same to Maxx for checkup. I'm not sure I understand correctly what you suggest. Where do you want me to submit these files one by one?
Thanks
Title: Re: What to do with Viruses??
Post by: Maxx_original on October 23, 2007, 09:03:40 AM
pelikan: I can't help myself, but I've still got no attachment with your samples.. only a plaintext e-mail ???
Title: Re: What to do with Viruses??
Post by: oldman on October 23, 2007, 11:59:24 AM
How many files were in the folder?
Eehm,...don't quite remember already..I put a few of them in at random (with various virus names), maybe 5 or 6 total, taken from the Avast Virus Chest, packed with rar and uploaded to that site, later sending the same to Maxx for checkup. I'm not sure I understand correctly what you suggest. Where do you want me to submit these files one by one?
Thanks

Sorry, what I meant was 1 or 2 files from the .doc group and the same with the HTML, and submit them one by one. This would give an accurate indication of what the file is being identified as. By submitting the folder, all content was scanned at once. That's why the results show such a wide range of infections.

I'm not sure, but your attachment may be getting stripped off on the way to avast. Maxx can correct me if I'm wrong, but I think a password-protected rar is needed.
Title: Re: What to do with Viruses??
Post by: Maxx_original on October 23, 2007, 12:06:22 PM
oldman: maybe.. I'll wait for pelikan's next attempt to send the files to me.. :)
Title: Re: What to do with Viruses??
Post by: Pelikan on October 23, 2007, 12:40:51 PM

Sorry, what I meant was 1 or 2 files from the .doc group and the same with the HTML, and submit them one by one. This would give an accurate indication of what the file is being identified as. By submitting the folder, all content was scanned at once. That's why the results show such a wide range of infections.

I'm not sure, but your attachment may be getting stripped off on the way to avast. Maxx can correct me if I'm wrong, but I think a password-protected rar is needed.

I see. I will send them again to the email Maxx gave (I understand you are both in one Avast group?). The matter is actually that I deleted some infected *.exe files from the Virus Chest, on the advice of a few technicians in a Russian PC forum...they told me such files are unrepairable (here is the list again):
Html document ----------- Win32:VB-EQB[trj] (found in all other files(most of them Html, Doc)
crack_reg.exe ----------- Win32:Startpage-178[trj]
fgf10.exe ----------------Win32:Spyware-gen[trj]
icq98a_nm.exe ------------Win32:Trojan-gen{VC}
sinstaller2.exe ----------Win32:Adware-gen[Adw]

Besides, they were quite bulky in size to conveniently send. I only left this one so far: Win32:Spyware-gen[trj].   All the others, as I said, are Win32:VB-EQB[trj].


So I think I could send you guys these two types: 1) fgf10.exe ----------------Win32:Spyware-gen[trj]  AND 2) Html document ----------- Win32:VB-EQB[trj]
Does it make sense to submit several files from the *.doc and *.html groups, if all of them are infected with one type of virus?

Am I right? Sorry if I'm slow in getting what you mean..Trying to do my best.
 
Title: Re: What to do with Viruses??
Post by: oldman on October 23, 2007, 12:47:56 PM
You're doing fine.

You're right: if all the files in a group are being detected the same, then one sample should be enough.

BTW, I'm just a user like you, trying to get the most out of avast.
Title: Re: What to do with Viruses??
Post by: Pelikan on October 23, 2007, 01:19:49 PM
You're doing fine.

You're right: if all the files in a group are being detected the same, then one sample should be enough.

BTW, I'm just a user like you, trying to get the most out of avast.

Thanks for that. )) Where did you want me to send that file, to your email or here in the thread?
Title: Re: What to do with Viruses??
Post by: oldman on October 23, 2007, 01:23:41 PM
Send them to Maxx, he's the guy to look at them.
Title: Re: What to do with Viruses??
Post by: Lisandro on October 23, 2007, 01:31:19 PM
Where did you want me to send that file, to your email or here in the thread?
Or even virus@avast.com 8)
Title: Re: What to do with Viruses??
Post by: Maxx_original on October 23, 2007, 02:18:25 PM
The detections are valid... the htm contains malicious iframes at the end of the file and the installer contains an ad/spy module... I don't know where the infection comes from, but you should run HJT and look for some strange processes, reg entries etc..
Title: Re: What to do with Viruses??
Post by: oldman on October 23, 2007, 02:34:12 PM
This will get you started

Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe
Title: Re: What to do with Viruses??
Post by: Pelikan on October 23, 2007, 04:34:50 PM
The detections are valid... the htm contains malicious iframes at the end of the file and the installer contains an ad/spy module... I don't know where the infection comes from, but you should run HJT and look for some strange processes, reg entries etc..

I understand Max, thank you for that. Will use this scanner and feed back. Thanks a lot!
Title: Re: What to do with Viruses??
Post by: Pelikan on October 23, 2007, 04:39:16 PM
This will get you started

Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

I got it. Will do as you say and come back to you soon, likely tomorrow because it's quite late here by now..))
Thank you so much.
Title: Re: What to do with Viruses??
Post by: Pelikan on October 24, 2007, 09:58:08 AM
Hi Oldman, here goes the log file of today's HJT scan.

Also, when I was trying to repair files with Avast (by clicking the Schedule boot-time link), it couldn't do it: during restart of the system it promptly shows a blue window with blinking lines saying something like "error/operation failure/can't repair file", and then, when I'm back, those infected files still remain unchanged and the alarm window announces the virus warning message when I scan them. My question was: what could be the true reason why it couldn't repair the infected files? Would it help more if I had Avast Pro installed? If some files are showing as unrepairable but I need them, what to do? Try to "heal" them with other antiviruses maybe?

Thanks again.
--------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:27 PM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yandex.ru/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.intel.com/support/go/downloads
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3679 bytes

Title: Re: What to do with Viruses??
Post by: Maxx_original on October 24, 2007, 10:05:58 AM
Why can't your files be repaired? Because the iframe injection is too variable and there's almost no possibility to detect (algorithmically) where the injected code exactly begins and where it ends, and the disinfection can be really harmful.. btw: the HJT log looks good..
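The tail injection Maxx_original describes can be checked for directly. The script below is an added example, not code from this thread or from avast. It assumes the injected frame was appended after the page's closing </html> tag (the case described above), uses constructed sample documents, and points the frames at the reserved name example.invalid rather than a real host. It deliberately separates detection, which can look anywhere in a file for hidden frames, from repair, which only cuts the tail when nothing but iframe/script markup sits after </html> and otherwise leaves the file untouched; that asymmetry is the practical side of the point made above about automated disinfection being risky.

```python
"""Added example (not code from the forum thread or from avast): detect an
<iframe> appended after a page's closing </html>, the injection pattern
described in the thread, and strip it only when it is safe to do so.
The sample HTML below is constructed for the demo; example.invalid is a
reserved name, not a real host."""
import re
from pathlib import Path

# Self-closing form first so a bare "/>" frame is not matched across the
# document to some later </iframe>.
IFRAME_RE = re.compile(
    r"<iframe\b[^>]*/>|<iframe\b[^>]*>.*?</iframe\s*>", re.IGNORECASE | re.DOTALL)
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Traits legitimate frames rarely have: 0/1 pixel size or hidden styling.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?\s*[01]\b|visibility\s*:\s*hidden|display\s*:\s*none""",
    re.IGNORECASE)

# Constructed samples: a clean document, the same document with a hidden
# frame appended after </html>, and one with a hidden frame inside <body>.
CLEAN_DOC = "<html><head><title>Chapter 1</title></head><body><p>Text.</p></body></html>\n"
INJECTED_DOC = CLEAN_DOC + ('<iframe src="http://example.invalid/in.cgi?3" '
                            'width=1 height=1 style="visibility:hidden"></iframe>\n')
INBODY_DOC = ('<html><body><p>Text.</p><iframe src="http://example.invalid/x" '
              'width=0 height=0></iframe></body></html>\n')


def _describe(match, base: int) -> dict:
    """Offset, src and hidden-trait flag for one iframe match."""
    tag = match.group(0)
    src = SRC_RE.search(tag)
    return {"offset": base + match.start(),
            "src": src.group(1) if src else None,
            "hidden": bool(HIDDEN_RE.search(tag))}


def find_hidden_iframes(html: str) -> list:
    """Every iframe anywhere in the document that carries hidden/tiny traits.
    This is the detection side: cheap and independent of where the frame sits."""
    return [_describe(m, 0) for m in IFRAME_RE.finditer(html)
            if HIDDEN_RE.search(m.group(0))]


def scan_html(html: str) -> list:
    """Iframes that sit after the last </html>, i.e. appended by an injector."""
    closes = list(HTML_CLOSE_RE.finditer(html))
    if not closes:
        return []
    tail_start = closes[-1].end()
    return [_describe(m, tail_start) for m in IFRAME_RE.finditer(html[tail_start:])]


def strip_trailing_injection(html: str) -> tuple:
    """Return (cleaned_html, removed_text). Cuts the document back to </html>
    only when everything after it is iframe/script markup and whitespace;
    anything else in the tail means we cannot be sure, so the input is
    returned unchanged. This repair covers only the appended-at-end case."""
    closes = list(HTML_CLOSE_RE.finditer(html))
    if not closes:
        return html, ""
    tail_start = closes[-1].end()
    tail = html[tail_start:]
    if not IFRAME_RE.search(tail):
        return html, ""
    residue = SCRIPT_RE.sub("", IFRAME_RE.sub("", tail))
    if residue.strip():
        return html, ""
    return html[:tail_start] + "\n", tail


def scan_tree(root: str) -> dict:
    """Map each .htm/.html file under root to its hidden-iframe findings, so a
    large batch can be triaged without opening the files in a browser."""
    results = {}
    for path in Path(root).rglob("*.htm*"):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings = find_hidden_iframes(text)
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_DOC), ("appended", INJECTED_DOC), ("in-body", INBODY_DOC)):
        _, removed = strip_trailing_injection(doc)
        print(name, find_hidden_iframes(doc), "repaired" if removed else "left as-is")
```

Run against the three constructed documents, the clean one produces no findings, the appended one is both detected and repaired, and the in-body one is detected but left alone, because cutting inside the document is exactly the guess an automated cleaner should not make. Keep the original file (or its Chest copy) until the repaired version has been opened and checked.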
Title: Re: What to do with Viruses??
Post by: MeDIeVaL on October 24, 2007, 10:10:32 AM

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')


Can you upload this file to VirusTotal and post the result...?
Title: Re: What to do with Viruses??
Post by: oldman on October 24, 2007, 10:45:36 AM
I was just about to post about your HJT log, but Maxx beat me to it.

My question was: what cud be the true reason of why it cudn't repair infected files?

Maxx answered you better than I could have.

Wud it help more if I had Avast Pro installed?

No, the big difference between Pro and Home is one more provider and a few more scanning configuration options.
 
If some files are showing unrepairable but I need them, what to do? Try to "heal" them with other Antiviruses maybe?

As Maxx said they probably can't be cleaned.

What are the file names, full path and what were they detected as? Why do you need them?


Title: Re: What to do with Viruses??
Post by: Maxx_original on October 24, 2007, 11:03:07 AM
There's a possibility to clean the files manually.. but a condition must be met: you must be something like a (so-called) "IT pro" ;)
Title: Re: What to do with Viruses??
Post by: DavidR on October 24, 2007, 02:46:57 PM

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')


Can you upload this file to VirusTotal and post the result...?

I appreciate you are trying to help, but why do you think this is suspicious ?

If you run a HJT on your own system you will find similar results.
Quote from: extract from my hjt
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

These are common entries.
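Reading a HijackThis log by hand, as this thread does, comes down to asking where each autostart entry points and whether an entry that appears many times is simply the same Windows component per hive. The script below is an added example, not code from this thread, from avast or from Trend Micro. It parses O4 lines in the format shown in the log above; the sample lines are copied from that log except the last one, which is a constructed suspicious entry, and the trusted-directory list and the profile/temp markers are assumptions for the demo. A path inside a trusted directory is not proof of a clean file; the check only separates entries that warrant a closer look from ones, like the CTFMON entries, that match a normal installation.

```python
"""Added example (not from the thread, avast or Trend Micro): triage the O4
autostart lines of a HijackThis log by where each entry's executable lives.
The log lines below are copied from the thread's log except the last one,
which is a constructed suspicious entry; the trusted directory list is an
assumption for this demo, and a trusted path does not make a file clean."""
import re

TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
SUSPECT_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")

# "O4 - <hive>\..\Run: [<name>] <value>"; the hive may carry a SID (HKUS\S-1-5-19).
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<value>.*)$")
# First alternative: a quoted image path. Second: an unquoted path running up
# to the first executable extension, so paths with spaces still parse.
IMAGE_RE = re.compile(r'"([^"]+)"|(\S.*?\.(?:exe|com|dll|scr|bat|cmd))\b', re.IGNORECASE)

SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [IMJPMIG8.1] "C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\\..\\Run: [Zone Labs Client] C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKUS\\S-1-5-19\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\\S-1-5-18\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\CTFMON.EXE (User 'SYSTEM')
O4 - HKCU\\..\\Run: [updater] C:\\Documents and Settings\\user\\Local Settings\\Temp\\svch0st.exe
"""


def parse_o4(line: str):
    """Split one O4 line into hive, value name and image path; None if not O4."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    img = IMAGE_RE.search(m.group("value"))
    path = (img.group(1) or img.group(2)) if img else m.group("value")
    return {"hive": m.group("hive"), "name": m.group("name"), "path": path}


def classify(entry: dict) -> dict:
    """Flag entries whose image lives outside the trusted directories or inside
    a user profile / temp location. Reasons are kept so the analyst can see why."""
    low = entry["path"].lower()
    reasons = []
    if not low.startswith(TRUSTED_PREFIXES):
        reasons.append("outside trusted directories")
    if any(marker in low for marker in SUSPECT_MARKERS):
        reasons.append("runs from a profile/temp location")
    return {**entry, "flagged": bool(reasons), "reasons": reasons}


def triage(log_text: str) -> list:
    """All O4 entries in the log, each with its classification."""
    entries = (parse_o4(line) for line in log_text.splitlines())
    return [classify(e) for e in entries if e]


def flagged(log_text: str) -> list:
    """Only the entries worth a closer look."""
    return [e for e in triage(log_text) if e["flagged"]]


def repeated_images(log_text: str) -> dict:
    """Image path -> number of hives it is registered under. The same Windows
    binary under HKCU and several HKUS SIDs is the normal CTFMON pattern."""
    counts = {}
    for e in triage(log_text):
        key = e["path"].lower()
        counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v > 1}


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print("FLAG" if e["flagged"] else "ok  ", e["hive"], e["name"], e["path"], e["reasons"])
    print(repeated_images(SAMPLE_LOG))
```

On the sample, the five-hive CTFMON pattern collapses to one repeated System32 image and is not flagged, while the constructed entry running from a Temp folder is the only one reported.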